diff --git a/ansible/roles/openldap_server/defaults/main.yaml b/ansible/roles/openldap_server/defaults/main.yaml
new file mode 100644
index 0000000..59d2265
--- /dev/null
+++ b/ansible/roles/openldap_server/defaults/main.yaml
@@ -0,0 +1,8 @@
+ldap_domain: example.com
+ldap_basedn: dc=example,dc=com
+
+ldap_admin_dn: cn=admin,{{ ldap_basedn }}
+ldap_bind_dn: cn=binduser,{{ ldap_basedn }}
+
+ldap_cert_path: /etc/openldap/certs/ldap.crt
+ldap_key_path: /etc/openldap/certs/ldap.key
diff --git a/ansible/roles/openldap_server/tasks/acls.yaml b/ansible/roles/openldap_server/tasks/acls.yaml
new file mode 100644
index 0000000..fdb216e
--- /dev/null
+++ b/ansible/roles/openldap_server/tasks/acls.yaml
@@ -0,0 +1,21 @@
+- name: Set LDAP ACLs
+ community.general.ldap_attrs:
+ dn: olcDatabase={2}mdb,cn=config
+ state: exact
+ attributes:
+ olcAccess:
+ - >-
+ to attrs=userPassword
+ by dn="{{ ldap_admin_dn }}" write
+ by dn="{{ ldap_bind_dn }}" read
+ by self write
+ by * none
+ - >-
+ to *
+ by dn="{{ ldap_admin_dn }}" write
+ by dn="{{ ldap_bind_dn }}" read
+ by self read
+ by * none
+ args:
+ server_uri: ldapi:///
+ sasl_mech: EXTERNAL
diff --git a/ansible/roles/openldap_server/tasks/config.yaml b/ansible/roles/openldap_server/tasks/config.yaml
new file mode 100644
index 0000000..b008211
--- /dev/null
+++ b/ansible/roles/openldap_server/tasks/config.yaml
@@ -0,0 +1,11 @@
+- name: Configure database suffix
+ community.general.ldap_attrs:
+ dn: olcDatabase={2}mdb,cn=config
+ state: exact
+ attributes:
+ olcSuffix: "{{ ldap_basedn }}"
+ olcRootDN: "{{ ldap_admin_dn }}"
+ args:
+ server_uri: ldapi:///
+ sasl_mech: EXTERNAL
+
diff --git a/ansible/roles/openldap_server/tasks/install.yaml b/ansible/roles/openldap_server/tasks/install.yaml
new file mode 100644
index 0000000..6b9e726
--- /dev/null
+++ b/ansible/roles/openldap_server/tasks/install.yaml
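Review bot: `ldap_admin_dn` and `ldap_bind_dn` embed Jinja in plain scalars; they parse only because `{{` is not at the start of the value, and the role's task files quote their templated values, so `ldap_admin_dn: "cn=admin,{{ ldap_basedn }}"` and `ldap_bind_dn: "cn=binduser,{{ ldap_basedn }}"` would be consistent and safer against later edits. Nothing in this diff creates the `cn=binduser` entry that acls.yaml grants access to, nor any credential for either DN, so a comment on these defaults stating that both entries must be provisioned by the consumer would save a confusing first run.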
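Review bot: The userPassword rule grants `by dn="{{ ldap_bind_dn }}" read`, which lets the bind account read every user's password hash, and it has no `by anonymous auth` clause, so with the closing `by * none` a simple bind by an ordinary user (which needs auth access to its own userPassword) will be refused. Replacing that bind-DN line with `by anonymous auth` gives binds the access they need without exposing hashes; the bind account keeps `read` on everything else through the second rule. olcAccess is an X-ORDERED attribute that the server returns as `{0}to attrs=...`, so `state: exact` without `ordered: true` on ldap_attrs is likely to report a change on every run — worth checking with a second play.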
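Review bot: `server_uri: ldapi:///` and `sasl_mech: EXTERNAL` are repeated under `args:` in every ldap_attrs task here and again in tls.yaml and acls.yaml; a `module_defaults:` entry for `community.general.ldap_attrs` on the play or an enclosing block states that once. The task rewrites olcSuffix and olcRootDN on `olcDatabase={2}mdb` but nothing in this diff creates the `{{ ldap_basedn }}` base entry, so a comment such as `# assumes the base entry for ldap_basedn is provisioned elsewhere` (or a ldap_entry task) would help the next reader. The empty line at the end of the file is harmless but yamllint's empty-lines rule may flag it.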
@@ -0,0 +1,57 @@
+- name: Install epel
+ package:
+ name: epel-release
+ state: present
+
+- name: Install openldap server and other required packages
+ package:
+ name:
+ - openldap-servers
+ - openldap-clients
+ - openldap-devel
+ - cyrus-sasl-devel
+ - openssl
+ - openssl-devel
+ state: present
+
+- name: Permanently enable ldap service firewalld
+ ansible.posix.firewalld:
+ service: ldap
+ state: enabled
+ permanent: true
+ immediate: true
+ offline: true
+
+- name: Permanently enable ldaps service firewalld
+ ansible.posix.firewalld:
+ service: ldaps
+ state: enabled
+ permanent: true
+ immediate: true
+ offline: true
+
+- name: Create ldifs directory
+ file:
+ path: /etc/openldap/ldifs
+ state: directory
+ mode: '0700'
+ owner: ldap
+ group: ldap
+
+- name: Set upldap.conf base
+ lineinfile:
+ path: /etc/openldap/ldap.conf
+ regexp: '^#BASE'
+ line: 'BASE: dc=ldap,dc=home,dc=jthan,dc=io'
+
+- name: Setup ldap.conf URIs
+ lineinfile:
+ path: /etc/openldap/ldap.conf
+ regexp: '^#URI'
+ line: 'URI: ldap://ldap.home.jthan.io'
+
+- name: Enable slapd
+ service:
+ name: slapd
+ state: started
+ enabled: yes
diff --git a/ansible/roles/openldap_server/tasks/main.yaml b/ansible/roles/openldap_server/tasks/main.yaml
index 33ef847..757a988 100644
--- a/ansible/roles/openldap_server/tasks/main.yaml
+++ b/ansible/roles/openldap_server/tasks/main.yaml
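Review bot: The two lineinfile tasks write `BASE: dc=ldap,dc=home,dc=jthan,dc=io` and `URI: ldap://ldap.home.jthan.io` into ldap.conf while defaults/main.yaml introduces `ldap_basedn`/`ldap_domain` with different values, so the client config disagrees with the suffix that config.yaml pushes unless every caller overrides the defaults. Templating them — `line: "BASE {{ ldap_basedn }}"` and `line: "URI ldaps://{{ ldap_domain }}"` (or a dedicated server-hostname variable) — keeps client and server in step; note that ldap.conf's directive syntax is keyword-then-whitespace, so the colon after `BASE`/`URI` probably leaves these lines unrecognized, and once tls.yaml requires TLS a plain `ldap://` URI will not satisfy the server. `enabled: yes` on the slapd task should be `enabled: true` to match the `true` booleans used elsewhere in this file, and the task name `Set upldap.conf base` is missing a space.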
@@ -1,80 +1,5 @@
-- name: Install epel
- package:
- name: epel-release
- state: present
-
-- name: Install openldap server and other required packages
- package:
- name:
- - openldap-servers
- - openldap-clients
- - openldap-devel
- - cyrus-sasl-devel
- - openssl
- - openssl-devel
- state: present
-
-- name: Permanently enable ldap service firewalld
- ansible.posix.firewalld:
- service: ldap
- state: enabled
- permanent: true
- immediate: true
- offline: true
-
-- name: Permanently enable ldaps service firewalld
- ansible.posix.firewalld:
- service: ldaps
- state: enabled
- permanent: true
- immediate: true
- offline: true
-
-- name: Create ldifs directory
- file:
- path: /etc/openldap/ldifs
- state: directory
- mode: '0700'
- owner: ldap
- group: ldap
-
-- name: Copy default configuration ldif
- copy:
- src: /usr/share/openldap-servers/slapd.ldif
- dest: /etc/openldap/ldifs/slapd.ldif
- owner: ldap
- group: ldap
- mode: '0600'
- force: false
- remote_src: true
-
-- name: Set upldap.conf base
- lineinfile:
- path: /etc/openldap/ldap.conf
- regexp: '^#BASE'
- line: 'BASE: dc=ldap,dc=home,dc=jthan,dc=io'
-
-- name: Setup ldap.conf URIs
- lineinfile:
- path: /etc/openldap/ldap.conf
- regexp: '^#URI'
- line: 'URI: ldap://ldap.home.jthan.io'
-
-- name: Set olcSuffix for domain
- lineinfile:
- path: /etc/openldap/ldifs/slapd.ldif
- regexp: '^olcSuffix:'
- line: 'olcSuffix: dc=ldap,dc=home,dc=jthan,dc=io'
-
-- name: Set olcRootDN
- lineinfile:
- path: /etc/openldap/ldifs/slapd.ldif
- regexp: '^olcRootDN:'
- line: 'olcRootDN: cn=Manager,dc=ldap,dc=home,dc=jthan,dc=io'
-
-#- name: Start and enable slapd
-# service:
-# name: slapd
-# state: started
-# enabled: true
-
+- import_tasks: install.yaml
+- import_tasks: schemas.yaml
+- import_tasks: config.yaml
+- import_tasks: tls.yaml
+- import_tasks: acls.yaml
diff --git a/ansible/roles/openldap_server/tasks/schemas.yaml b/ansible/roles/openldap_server/tasks/schemas.yaml
new file mode 100644
index 0000000..959df91
--- /dev/null
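Review bot: The new main.yaml quietly changes the role's contract: the removed tasks edited a copied slapd.ldif, while the imported files modify a running cn=config over ldapi:///, so the role now presumes the packaged cn=config with `olcDatabase={2}mdb` and a slapd that install.yaml has already started. A one-line comment above the imports, e.g. `# order matters: install.yaml must start slapd before the ldapi:/// tasks in the other files run`, would document that dependency. Placing tls.yaml (which sets `olcSecurity: tls=1`) before acls.yaml looks safe because acls.yaml writes to cn=config, but if I read the tls factor correctly any future task touching the data database over ldapi:/// would need to run before tls.yaml or use a TLS URI, which is worth stating in the same comment.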
+++ b/ansible/roles/openldap_server/tasks/schemas.yaml
@@ -0,0 +1,31 @@
+- name: List existing schemas
+ command: >
+ ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
+ register: ldap_schemas
+ changed_when: false
+
+- name: Load cosine schema
+ command: >
+ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
+ when: "'cn=cosine,cn=schema,cn=config' not in ldap_schemas.stdout"
+
+- name: Load inetorgperson schema
+ command: >
+ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
+ when: "'cn=inetorgperson,cn=schema,cn=config' not in ldap_schemas.stdout"
+
+- name: Load nis schema
+ command: >
+ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
+ when: "'cn=nis,cn=schema,cn=config' not in ldap_schemas.stdout"
+
+- name: Load sudo schema
+ command: >
+ ldapadd -Y EXTERNAL -H ldapi:/// -f /usr/share/doc/sudo/schema.OpenLDAP
+ when: "'cn=sudo,cn=schema,cn=config' not in ldap_schemas.stdout"
+
+- name: Load OpenSSH public key schema
+ command: >
+ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/openssh-lpk.ldif
+ when: "'cn=openssh-lpk,cn=schema,cn=config' not in ldap_schemas.stdout"
+
diff --git a/ansible/roles/openldap_server/tasks/tls.yaml b/ansible/roles/openldap_server/tasks/tls.yaml
new file mode 100644
index 0000000..1e69df6
--- /dev/null
+++ b/ansible/roles/openldap_server/tasks/tls.yaml
@@ -0,0 +1,20 @@
+- name: Configure TLS cert
+ community.general.ldap_attrs:
+ dn: cn=config
+ state: present
+ attributes:
+ olcTLSCertificateFile: "{{ ldap_cert_path }}"
+ olcTLSCertificateKeyFile: "{{ ldap_key_path }}"
+ args:
+ server_uri: ldapi:///
+ sasl_mech: EXTERNAL
+
+- name: Require TLS
+ community.general.ldap_attrs:
+ dn: olcDatabase={2}mdb,cn=config
+ state: present
+ attributes:
+ olcSecurity: tls=1
+ args:
+ server_uri: ldapi:///
+ sasl_mech: EXTERNAL
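Review bot: The `when` guards never match, because slapd returns schema entries with an X-ORDERED prefix, e.g. `dn: cn={1}cosine,cn=schema,cn=config`, so `'cn=cosine,cn=schema,cn=config' not in ldap_schemas.stdout` is always true and every ldapadd re-runs on the second play, presumably failing with an already-exists error; the same applies to the inetorgperson, nis, sudo and openssh-lpk tasks. Dropping the `cn=` prefix from the needle — `when: "'cosine,cn=schema,cn=config' not in ldap_schemas.stdout"` — or matching with a regex that tolerates `{n}` fixes it. `/usr/share/doc/sudo/schema.OpenLDAP` is, as far as I recall, in slapd.conf schema syntax rather than LDIF, so ldapadd would likely reject it; that and the presence of `openssh-lpk.ldif` under `/etc/openldap/schema/` (nothing in this diff installs it) are worth confirming on the target distribution.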
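Review bot: The first task points olcTLSCertificateFile/olcTLSCertificateKeyFile at `{{ ldap_cert_path }}`/`{{ ldap_key_path }}`, but no task in this diff places those files or sets their ownership and mode, and slapd, as far as I know, rejects a cn=config modify whose certificate paths it cannot open, so a first run on a fresh host likely fails unless the files already exist. A preceding task that ensures the key is `owner: ldap`, `mode: '0600'` would make the prerequisite explicit and keep the private key out of reach of other local users. Consider pinning a protocol floor alongside the certificate, e.g. `olcTLSProtocolMin: "3.3"` (TLS 1.2), and adding a comment that `olcSecurity: tls=1` on the mdb database will, if I read the tls factor correctly, also refuse data operations arriving over `ldapi:///`, so later population tasks must use a TLS-protected URI.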